bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

refactor(auth): optimize Claims struct and fix linting issues

JWT improvements:
- Add Confirmation field for DPoP cnf.jkt claim binding
- Reorder Claims struct fields for optimal memory alignment

Test improvements:
- Replace os.Setenv/os.Unsetenv with t.Setenv for cleaner tests
- Use t.Cleanup for automatic environment restoration
- Use UUID for DPoP proof jti to ensure test uniqueness

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev 64923a4e b27ecb15

options
unified split
Changed files
+36 -74
internal
atproto
auth
jwt.go
jwt_test.go
+4 -1
internal/atproto/auth/jwt.go 
···

       
87

       
 

       
// Claims represents the standard JWT claims we care about


     

       
88

       
 

       
type Claims struct {


     

       
89

       
 

       
	jwt.RegisteredClaims


     

       
90

       
-

       
	Scope string `json:"scope,omitempty"`


     

       

       

       
     

       

       

       
     

       

       

       
     

       
91

       
 

       
}


     

       
92

       
 

       



     

       
93

       
 

       
// stripBearerPrefix removes the "Bearer " prefix from a token string


     
···

       
87

       
 

       
// Claims represents the standard JWT claims we care about


     

       
88

       
 

       
type Claims struct {


     

       
89

       
 

       
	jwt.RegisteredClaims


     

       
90

       
+

       
	// Confirmation claim for DPoP token binding (RFC 9449)


     

       
91

       
+

       
	// Contains "jkt" (JWK thumbprint) when token is bound to a DPoP key


     

       
92

       
+

       
	Confirmation map[string]interface{} `json:"cnf,omitempty"`


     

       
93

       
+

       
	Scope        string                 `json:"scope,omitempty"`


     

       
94

       
 

       
}


     

       
95

       
 

       



     

       
96

       
 

       
// stripBearerPrefix removes the "Bearer " prefix from a token string
+32 -73
internal/atproto/auth/jwt_test.go 
···

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
 

       
	"context"


     

       
5

       
-

       
	"os"


     

       
6

       
 

       
	"testing"


     

       
7

       
 

       
	"time"


     

       
8

       
 

       



     
···

       
208

       
 

       
	issuer := "https://pds.coves.social"


     

       
209

       
 

       



     

       
210

       
 

       
	ResetJWTConfigForTesting()


     

       
211

       
-

       
	os.Setenv("PDS_JWT_SECRET", secret)


     

       
212

       
-

       
	os.Setenv("HS256_ISSUERS", issuer)


     

       
213

       
-

       
	defer func() {


     

       
214

       
-

       
		os.Unsetenv("PDS_JWT_SECRET")


     

       
215

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
216

       
-

       
		ResetJWTConfigForTesting()


     

       
217

       
-

       
	}()


     

       
218

       
 

       



     

       
219

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", issuer, secret, 1*time.Hour)


     

       
220

       
 

       



     
···

       
237

       
 

       
	issuer := "https://pds.coves.social"


     

       
238

       
 

       



     

       
239

       
 

       
	ResetJWTConfigForTesting()


     

       
240

       
-

       
	os.Setenv("PDS_JWT_SECRET", "correct-secret")


     

       
241

       
-

       
	os.Setenv("HS256_ISSUERS", issuer)


     

       
242

       
-

       
	defer func() {


     

       
243

       
-

       
		os.Unsetenv("PDS_JWT_SECRET")


     

       
244

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
245

       
-

       
		ResetJWTConfigForTesting()


     

       
246

       
-

       
	}()


     

       
247

       
 

       



     

       
248

       
 

       
	// Create token with wrong secret


     

       
249

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", issuer, "wrong-secret", 1*time.Hour)


     
···

       
260

       
 

       
	issuer := "https://pds.coves.social"


     

       
261

       
 

       



     

       
262

       
 

       
	ResetJWTConfigForTesting()


     

       
263

       
-

       
	os.Unsetenv("PDS_JWT_SECRET") // Ensure secret is not set


     

       
264

       
-

       
	os.Setenv("HS256_ISSUERS", issuer)


     

       
265

       
-

       
	defer func() {


     

       
266

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
267

       
-

       
		ResetJWTConfigForTesting()


     

       
268

       
-

       
	}()


     

       
269

       
 

       



     

       
270

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", issuer, "any-secret", 1*time.Hour)


     

       
271

       
 

       



     
···

       
286

       
 

       
	// An attacker tries to use HS256 with an issuer that should use RS256/ES256


     

       
287

       
 

       



     

       
288

       
 

       
	ResetJWTConfigForTesting()


     

       
289

       
-

       
	os.Setenv("PDS_JWT_SECRET", "some-secret")


     

       
290

       
-

       
	os.Setenv("HS256_ISSUERS", "https://trusted.example.com") // Different from token issuer


     

       
291

       
-

       
	defer func() {


     

       
292

       
-

       
		os.Unsetenv("PDS_JWT_SECRET")


     

       
293

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
294

       
-

       
		ResetJWTConfigForTesting()


     

       
295

       
-

       
	}()


     

       
296

       
 

       



     

       
297

       
 

       
	// Create HS256 token with non-whitelisted issuer (simulating attack)


     

       
298

       
 

       
	tokenString := createHS256Token(t, "did:plc:attacker", "https://victim-pds.example.com", "some-secret", 1*time.Hour)


     
···

       
311

       
 

       
	// SECURITY TEST: When no issuers are whitelisted for HS256, all HS256 tokens should be rejected


     

       
312

       
 

       



     

       
313

       
 

       
	ResetJWTConfigForTesting()


     

       
314

       
-

       
	os.Setenv("PDS_JWT_SECRET", "some-secret")


     

       
315

       
-

       
	os.Unsetenv("HS256_ISSUERS") // Empty whitelist


     

       
316

       
-

       
	defer func() {


     

       
317

       
-

       
		os.Unsetenv("PDS_JWT_SECRET")


     

       
318

       
-

       
		ResetJWTConfigForTesting()


     

       
319

       
-

       
	}()


     

       
320

       
 

       



     

       
321

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", "https://any-pds.example.com", "some-secret", 1*time.Hour)


     

       
322

       
 

       



     
···

       
332

       
 

       
	issuer := "https://pds.coves.social"


     

       
333

       
 

       



     

       
334

       
 

       
	ResetJWTConfigForTesting()


     

       
335

       
-

       
	os.Setenv("PDS_JWT_SECRET", "test-secret")


     

       
336

       
-

       
	os.Setenv("HS256_ISSUERS", issuer)


     

       
337

       
-

       
	defer func() {


     

       
338

       
-

       
		os.Unsetenv("PDS_JWT_SECRET")


     

       
339

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
340

       
-

       
		ResetJWTConfigForTesting()


     

       
341

       
-

       
	}()


     

       
342

       
 

       



     

       
343

       
 

       
	// Create RS256-signed token (can't actually sign without RSA key, but we can test the header check)


     

       
344

       
 

       
	claims := &Claims{


     
···

       
414

       
 

       



     

       
415

       
 

       
func TestIsHS256IssuerWhitelisted_Whitelisted(t *testing.T) {


     

       
416

       
 

       
	ResetJWTConfigForTesting()


     

       
417

       
-

       
	os.Setenv("HS256_ISSUERS", "https://pds1.example.com,https://pds2.example.com")


     

       
418

       
-

       
	defer func() {


     

       
419

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
420

       
-

       
		ResetJWTConfigForTesting()


     

       
421

       
-

       
	}()


     

       
422

       
 

       



     

       
423

       
 

       
	if !isHS256IssuerWhitelisted("https://pds1.example.com") {


     

       
424

       
 

       
		t.Error("Expected pds1 to be whitelisted")


     
···

       
430

       
 

       



     

       
431

       
 

       
func TestIsHS256IssuerWhitelisted_NotWhitelisted(t *testing.T) {


     

       
432

       
 

       
	ResetJWTConfigForTesting()


     

       
433

       
-

       
	os.Setenv("HS256_ISSUERS", "https://pds1.example.com")


     

       
434

       
-

       
	defer func() {


     

       
435

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
436

       
-

       
		ResetJWTConfigForTesting()


     

       
437

       
-

       
	}()


     

       
438

       
 

       



     

       
439

       
 

       
	if isHS256IssuerWhitelisted("https://attacker.example.com") {


     

       
440

       
 

       
		t.Error("Expected non-whitelisted issuer to return false")


     
···

       
443

       
 

       



     

       
444

       
 

       
func TestIsHS256IssuerWhitelisted_EmptyWhitelist(t *testing.T) {


     

       
445

       
 

       
	ResetJWTConfigForTesting()


     

       
446

       
-

       
	os.Unsetenv("HS256_ISSUERS")


     

       
447

       
-

       
	defer ResetJWTConfigForTesting()


     

       
448

       
 

       



     

       
449

       
 

       
	if isHS256IssuerWhitelisted("https://any.example.com") {


     

       
450

       
 

       
		t.Error("Expected false when whitelist is empty (safe default)")


     
···

       
453

       
 

       



     

       
454

       
 

       
func TestIsHS256IssuerWhitelisted_WhitespaceHandling(t *testing.T) {


     

       
455

       
 

       
	ResetJWTConfigForTesting()


     

       
456

       
-

       
	os.Setenv("HS256_ISSUERS", "  https://pds1.example.com  ,  https://pds2.example.com  ")


     

       
457

       
-

       
	defer func() {


     

       
458

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
459

       
-

       
		ResetJWTConfigForTesting()


     

       
460

       
-

       
	}()


     

       
461

       
 

       



     

       
462

       
 

       
	if !isHS256IssuerWhitelisted("https://pds1.example.com") {


     

       
463

       
 

       
		t.Error("Expected whitespace-trimmed issuer to be whitelisted")


     
···

       
469

       
 

       
func TestShouldUseHS256_WithKid_AlwaysFalse(t *testing.T) {


     

       
470

       
 

       
	// Tokens with kid should NEVER use HS256, regardless of issuer whitelist


     

       
471

       
 

       
	ResetJWTConfigForTesting()


     

       
472

       
-

       
	os.Setenv("HS256_ISSUERS", "https://whitelisted.example.com")


     

       
473

       
-

       
	defer func() {


     

       
474

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
475

       
-

       
		ResetJWTConfigForTesting()


     

       
476

       
-

       
	}()


     

       
477

       
 

       



     

       
478

       
 

       
	header := &JWTHeader{


     

       
479

       
 

       
		Alg: AlgorithmHS256,


     
···

       
488

       
 

       



     

       
489

       
 

       
func TestShouldUseHS256_WithoutKid_WhitelistedIssuer(t *testing.T) {


     

       
490

       
 

       
	ResetJWTConfigForTesting()


     

       
491

       
-

       
	os.Setenv("HS256_ISSUERS", "https://my-pds.example.com")


     

       
492

       
-

       
	defer func() {


     

       
493

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
494

       
-

       
		ResetJWTConfigForTesting()


     

       
495

       
-

       
	}()


     

       
496

       
 

       



     

       
497

       
 

       
	header := &JWTHeader{


     

       
498

       
 

       
		Alg: AlgorithmHS256,


     
···

       
506

       
 

       



     

       
507

       
 

       
func TestShouldUseHS256_WithoutKid_NotWhitelisted(t *testing.T) {


     

       
508

       
 

       
	ResetJWTConfigForTesting()


     

       
509

       
-

       
	os.Setenv("HS256_ISSUERS", "https://my-pds.example.com")


     

       
510

       
-

       
	defer func() {


     

       
511

       
-

       
		os.Unsetenv("HS256_ISSUERS")


     

       
512

       
-

       
		ResetJWTConfigForTesting()


     

       
513

       
-

       
	}()


     

       
514

       
 

       



     

       
515

       
 

       
	header := &JWTHeader{


     

       
516

       
 

       
		Alg: AlgorithmHS256,


     
···

       
2

       
 

       



     

       
3

       
 

       
import (


     

       
4

       
 

       
	"context"


     

       

       

       
     

       
5

       
 

       
	"testing"


     

       
6

       
 

       
	"time"


     

       
7

       
 

       



     
···

       
207

       
 

       
	issuer := "https://pds.coves.social"


     

       
208

       
 

       



     

       
209

       
 

       
	ResetJWTConfigForTesting()


     

       
210

       
+

       
	t.Setenv("PDS_JWT_SECRET", secret)


     

       
211

       
+

       
	t.Setenv("HS256_ISSUERS", issuer)


     

       
212

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
213

       
 

       



     

       
214

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", issuer, secret, 1*time.Hour)


     

       
215

       
 

       



     
···

       
232

       
 

       
	issuer := "https://pds.coves.social"


     

       
233

       
 

       



     

       
234

       
 

       
	ResetJWTConfigForTesting()


     

       
235

       
+

       
	t.Setenv("PDS_JWT_SECRET", "correct-secret")


     

       
236

       
+

       
	t.Setenv("HS256_ISSUERS", issuer)


     

       
237

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
238

       
 

       



     

       
239

       
 

       
	// Create token with wrong secret


     

       
240

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", issuer, "wrong-secret", 1*time.Hour)


     
···

       
251

       
 

       
	issuer := "https://pds.coves.social"


     

       
252

       
 

       



     

       
253

       
 

       
	ResetJWTConfigForTesting()


     

       
254

       
+

       
	t.Setenv("PDS_JWT_SECRET", "") // Ensure secret is not set (empty = not configured)


     

       
255

       
+

       
	t.Setenv("HS256_ISSUERS", issuer)


     

       
256

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
257

       
 

       



     

       
258

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", issuer, "any-secret", 1*time.Hour)


     

       
259

       
 

       



     
···

       
274

       
 

       
	// An attacker tries to use HS256 with an issuer that should use RS256/ES256


     

       
275

       
 

       



     

       
276

       
 

       
	ResetJWTConfigForTesting()


     

       
277

       
+

       
	t.Setenv("PDS_JWT_SECRET", "some-secret")


     

       
278

       
+

       
	t.Setenv("HS256_ISSUERS", "https://trusted.example.com") // Different from token issuer


     

       
279

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
280

       
 

       



     

       
281

       
 

       
	// Create HS256 token with non-whitelisted issuer (simulating attack)


     

       
282

       
 

       
	tokenString := createHS256Token(t, "did:plc:attacker", "https://victim-pds.example.com", "some-secret", 1*time.Hour)


     
···

       
295

       
 

       
	// SECURITY TEST: When no issuers are whitelisted for HS256, all HS256 tokens should be rejected


     

       
296

       
 

       



     

       
297

       
 

       
	ResetJWTConfigForTesting()


     

       
298

       
+

       
	t.Setenv("PDS_JWT_SECRET", "some-secret")


     

       
299

       
+

       
	t.Setenv("HS256_ISSUERS", "") // Empty whitelist


     

       
300

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
301

       
 

       



     

       
302

       
 

       
	tokenString := createHS256Token(t, "did:plc:test123", "https://any-pds.example.com", "some-secret", 1*time.Hour)


     

       
303

       
 

       



     
···

       
313

       
 

       
	issuer := "https://pds.coves.social"


     

       
314

       
 

       



     

       
315

       
 

       
	ResetJWTConfigForTesting()


     

       
316

       
+

       
	t.Setenv("PDS_JWT_SECRET", "test-secret")


     

       
317

       
+

       
	t.Setenv("HS256_ISSUERS", issuer)


     

       
318

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
319

       
 

       



     

       
320

       
 

       
	// Create RS256-signed token (can't actually sign without RSA key, but we can test the header check)


     

       
321

       
 

       
	claims := &Claims{


     
···

       
391

       
 

       



     

       
392

       
 

       
func TestIsHS256IssuerWhitelisted_Whitelisted(t *testing.T) {


     

       
393

       
 

       
	ResetJWTConfigForTesting()


     

       
394

       
+

       
	t.Setenv("HS256_ISSUERS", "https://pds1.example.com,https://pds2.example.com")


     

       
395

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
396

       
 

       



     

       
397

       
 

       
	if !isHS256IssuerWhitelisted("https://pds1.example.com") {


     

       
398

       
 

       
		t.Error("Expected pds1 to be whitelisted")


     
···

       
404

       
 

       



     

       
405

       
 

       
func TestIsHS256IssuerWhitelisted_NotWhitelisted(t *testing.T) {


     

       
406

       
 

       
	ResetJWTConfigForTesting()


     

       
407

       
+

       
	t.Setenv("HS256_ISSUERS", "https://pds1.example.com")


     

       
408

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
409

       
 

       



     

       
410

       
 

       
	if isHS256IssuerWhitelisted("https://attacker.example.com") {


     

       
411

       
 

       
		t.Error("Expected non-whitelisted issuer to return false")


     
···

       
414

       
 

       



     

       
415

       
 

       
func TestIsHS256IssuerWhitelisted_EmptyWhitelist(t *testing.T) {


     

       
416

       
 

       
	ResetJWTConfigForTesting()


     

       
417

       
+

       
	t.Setenv("HS256_ISSUERS", "") // Empty whitelist


     

       
418

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       
419

       
 

       



     

       
420

       
 

       
	if isHS256IssuerWhitelisted("https://any.example.com") {


     

       
421

       
 

       
		t.Error("Expected false when whitelist is empty (safe default)")


     
···

       
424

       
 

       



     

       
425

       
 

       
func TestIsHS256IssuerWhitelisted_WhitespaceHandling(t *testing.T) {


     

       
426

       
 

       
	ResetJWTConfigForTesting()


     

       
427

       
+

       
	t.Setenv("HS256_ISSUERS", "  https://pds1.example.com  ,  https://pds2.example.com  ")


     

       
428

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
429

       
 

       



     

       
430

       
 

       
	if !isHS256IssuerWhitelisted("https://pds1.example.com") {


     

       
431

       
 

       
		t.Error("Expected whitespace-trimmed issuer to be whitelisted")


     
···

       
437

       
 

       
func TestShouldUseHS256_WithKid_AlwaysFalse(t *testing.T) {


     

       
438

       
 

       
	// Tokens with kid should NEVER use HS256, regardless of issuer whitelist


     

       
439

       
 

       
	ResetJWTConfigForTesting()


     

       
440

       
+

       
	t.Setenv("HS256_ISSUERS", "https://whitelisted.example.com")


     

       
441

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
442

       
 

       



     

       
443

       
 

       
	header := &JWTHeader{


     

       
444

       
 

       
		Alg: AlgorithmHS256,


     
···

       
453

       
 

       



     

       
454

       
 

       
func TestShouldUseHS256_WithoutKid_WhitelistedIssuer(t *testing.T) {


     

       
455

       
 

       
	ResetJWTConfigForTesting()


     

       
456

       
+

       
	t.Setenv("HS256_ISSUERS", "https://my-pds.example.com")


     

       
457

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
458

       
 

       



     

       
459

       
 

       
	header := &JWTHeader{


     

       
460

       
 

       
		Alg: AlgorithmHS256,


     
···

       
468

       
 

       



     

       
469

       
 

       
func TestShouldUseHS256_WithoutKid_NotWhitelisted(t *testing.T) {


     

       
470

       
 

       
	ResetJWTConfigForTesting()


     

       
471

       
+

       
	t.Setenv("HS256_ISSUERS", "https://my-pds.example.com")


     

       
472

       
+

       
	t.Cleanup(ResetJWTConfigForTesting)


     

       

       

       
     

       

       

       
     

       

       

       
     

       
473

       
 

       



     

       
474

       
 

       
	header := &JWTHeader{


     

       
475

       
 

       
		Alg: AlgorithmHS256,